Weekly Vulnerabilities Reports > May 5 to 11, 2008

Overview

3 new vulnerabilities were reported during this period: 2 critical and 1 high severity. This weekly summary reports vulnerabilities in 7 products from 6 vendors, including PHP, Fedoraproject, Canonical, Apple, Debian, and IBM. The vulnerabilities fall into the categories "Missing Release of Resource after Effective Lifetime" (CWE-772), "Insufficient Entropy" (CWE-331), and "Incorrect Calculation of Buffer Size" (CWE-131).

  • All 3 reported vulnerabilities are remotely exploitable.
  • All 3 reported vulnerabilities are exploitable by an anonymous user.
  • PHP has the most reported vulnerabilities, with 2.
  • PHP has the most reported critical vulnerabilities, with 2.


Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report, grouped by severity:


2 Critical Vulnerabilities

DATE        CVE            VENDOR                                 VULNERABILITY                                            CVSS
2008-05-07  CVE-2008-2108  PHP, Fedoraproject, Canonical, Debian  Insufficient Entropy vulnerability in multiple products  9.8

  The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication whose result loses its low-order bits (they come back as zeros) during a conversion with insufficient precision. The resulting seed carries only 24 bits of entropy, which simplifies brute force attacks against protection mechanisms that rely on the rand and mt_rand functions.
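Two pieces of the mechanism above, as an added C example that is not PHP's code and does not reproduce the GENERATE_SEED formula: first, how pushing a 64-bit integer through a double (53 significant bits) returns it with its low-order bits zeroed, so a seed derived that way has fewer distinct values than its width suggests; second, what a 24-bit seed space costs an attacker who has observed a few outputs. The generator is a stand-in 32-bit LCG chosen for illustration only (an assumption, not rand() or mt_rand()), and the sample value and secret seed are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Part 1: precision loss on conversion.
 * A double carries a 53-bit significand, so an integer above 2^53 that is
 * pushed through a double comes back rounded, with its low-order bits zero. */
uint64_t roundtrip_through_double(uint64_t v) {
    double d = (double)v;   /* rounded to 53 significant bits */
    return (uint64_t)d;     /* exact again, but the low bits are gone */
}

int trailing_zero_bits(uint64_t v) {
    int n = 0;
    if (v == 0) return 64;
    while ((v & 1) == 0) { v >>= 1; n++; }
    return n;
}

/* Part 2: what a 24-bit seed space costs an attacker.
 * Stand-in 32-bit LCG constructed for this example; NOT PHP's rand()/mt_rand().
 * Only the size of the seed space matters for the argument. */
#define SEED_BITS 24
#define SEED_SPACE (1u << SEED_BITS)

static uint32_t lcg_step(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;  /* Numerical Recipes constants */
    return *state >> 8;                         /* expose 24 bits per call */
}

/* Victim side: produce n outputs from a seed (e.g. a token generator). */
void generate(uint32_t seed, uint32_t *out, size_t n) {
    uint32_t s = seed;
    for (size_t i = 0; i < n; i++) out[i] = lcg_step(&s);
}

/* Attacker side: try every seed in the 24-bit space until the observed
 * outputs are reproduced. Returns the seed, or -1 if none matches. */
long recover_seed(const uint32_t *observed, size_t n) {
    for (uint32_t seed = 0; seed < SEED_SPACE; seed++) {
        uint32_t s = seed;
        size_t i = 0;
        while (i < n && lcg_step(&s) == observed[i]) i++;
        if (i == n) return (long)seed;
    }
    return -1;
}

/* With the seed known, the output after the n observed ones is predictable. */
uint32_t predict_next(uint32_t seed, size_t n_observed) {
    uint32_t s = seed, v = 0;
    for (size_t i = 0; i <= n_observed; i++) v = lcg_step(&s);
    return v;
}

/* End-to-end check: generate n outputs from a secret seed, recover it, and
 * confirm the next output is predicted correctly. Returns 1 on success. */
int seed_recovery_succeeds(uint32_t secret, size_t n) {
    uint32_t observed[8];
    if (n == 0 || n > 8) return 0;
    generate(secret, observed, n);
    long found = recover_seed(observed, n);
    return found == (long)secret &&
           predict_next((uint32_t)found, n) == predict_next(secret, n);
}

int main(void) {
    uint64_t v = 0x123456789ABCDEF0ULL;         /* constructed 61-bit value */
    uint64_t r = roundtrip_through_double(v);
    printf("%#" PRIx64 " -> %#" PRIx64 " (%d trailing zero bits)\n",
           v, r, trailing_zero_bits(r));

    uint32_t secret = 0xABCDEFu;                 /* constructed hidden seed */
    uint32_t observed[3];
    generate(secret, observed, 3);              /* attacker sees three outputs */

    clock_t t0 = clock();
    long found = recover_seed(observed, 3);
    double secs = (double)(clock() - t0) / CLOCKS_PER_SEC;
    printf("searched up to %u seeds in %.3f s, recovered %ld (secret %u)\n",
           SEED_SPACE, secs, found, secret);
    if (found >= 0)
        printf("predicted next output %u, actual %u\n",
               predict_next((uint32_t)found, 3), predict_next(secret, 3));
    return 0;
}
```

The full 2^24 search completes in well under a second on current hardware; any protection mechanism whose secret is derived from a generator seeded with that little entropy inherits the same search cost, regardless of how strong the generator itself is.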
2008-05-05  CVE-2008-0599  PHP, Fedoraproject, Canonical, Apple   Incorrect Calculation of Buffer Size vulnerability in multiple products  9.8

  The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.
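A constructed illustration of this bug class, added here and not the actual code from sapi/cgi/cgi_main.c: a path length is computed from two components with a conditional operator, and an addition that was meant to apply to the whole conditional binds only to its third operand. The component names, the sample values and the helper functions are assumptions made for the example. The vulnerable length calculation is shown beside its hardened form, together with the snprintf check that turns a wrong size into a clean failure instead of a heap overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Intended:  (root ? strlen(root) : 0) + strlen(info) + 1
 * Parsed as: root ? strlen(root) : (0 + strlen(info) + 1)
 * With a non-NULL root the result is strlen(root) alone: no room for info
 * or the terminating NUL. With a NULL root it happens to be correct, which
 * is why this kind of bug survives casual testing. */
size_t buggy_path_len(const char *root, const char *info) {
    return root ? strlen(root) : 0 + strlen(info) + 1;
}

/* Hardened: parenthesise the conditional so the additions apply to it. */
size_t fixed_path_len(const char *root, const char *info) {
    return (root ? strlen(root) : 0) + strlen(info) + 1;
}

/* Allocate and build the path with the supplied length function. snprintf
 * reports the length it wanted to write; if that does not fit, the size was
 * wrong and the caller gets NULL rather than a truncated or overflowed
 * buffer. Caller frees the result. */
char *build_path(const char *root, const char *info,
                 size_t (*len_fn)(const char *, const char *)) {
    size_t n = len_fn(root, info);
    char *buf = malloc(n);
    if (!buf) return NULL;
    int w = snprintf(buf, n, "%s%s", root ? root : "", info);
    if (w < 0 || (size_t)w >= n) {   /* would not fit: refuse */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void) {
    const char *root = "/var/www";            /* constructed sample values */
    const char *info = "/index.php/extra";
    printf("buggy length %zu, correct length %zu\n",
           buggy_path_len(root, info), fixed_path_len(root, info));
    char *p = build_path(root, info, buggy_path_len);
    printf("buggy size:  %s\n", p ? p : "refused (buffer too small)");
    free(p);
    p = build_path(root, info, fixed_path_len);
    printf("fixed size:  %s\n", p ? p : "refused");
    free(p);
    return 0;
}
```

Had the original copied with strcpy into a buffer of the buggy size, the write would have run past the heap allocation; building with -fsanitize=address reports that overrun at the first test with a non-empty root, which is the cheapest regression check for this class of size miscalculation.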

1 High Vulnerability

DATE        CVE            VENDOR  VULNERABILITY                                                                                         CVSS
2008-05-09  CVE-2008-2122  IBM     Missing Release of Resource after Effective Lifetime vulnerability in IBM Rational Build Forge 7.0.2  7.5

  IBM Rational Build Forge 7.0.2 allows remote attackers to cause a denial of service (CPU consumption) via a port scan, which spawns multiple bfagent server processes that attempt to read data from closed sockets.

0 Medium Vulnerabilities


0 Low Vulnerabilities
